<p>Fields in a <code>Serializable</code> class must themselves be either <code>Serializable</code> or <code>transient</code> even if the class is
never explicitly serialized or deserialized. For instance, under load, most J2EE application frameworks flush objects to disk, and an allegedly
<code>Serializable</code> object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers. In
general a <code>Serializable</code> class is expected to fulfil its contract and not have an unexpected behaviour when an instance is serialized.</p>
<p>This rule raises an issue on non-<code>Serializable</code> fields, and on collection fields when they are not <code>private</code> (because they
could be assigned non-<code>Serializable</code> values externally), and when they are assigned non-<code>Serializable</code> types within the
class.</p>
<h2>Noncompliant Code Example</h2>
<pre>
public class Address {
  //...
}

public class Person implements Serializable {
  private static final long serialVersionUID = 1905122041950251207L;

  private String name;
  private Address address;  // Noncompliant; Address isn't serializable
}
</pre>
<h2>Compliant Solution</h2>
<pre>
public class Address implements Serializable {
  private static final long serialVersionUID = 2405172041950251807L;
}

public class Person implements Serializable {
  private static final long serialVersionUID = 1905122041950251207L;

  private String name;
  private Address address;
}
</pre>
<h2>Exceptions</h2>
<p>The alternative to making all members <code>serializable</code> or <code>transient</code> is to implement special methods which take on the
responsibility of properly serializing and de-serializing the object. This rule ignores classes which implement the following methods:</p>
<pre>
 private void writeObject(java.io.ObjectOutputStream out)
     throws IOException
 private void readObject(java.io.ObjectInputStream in)
     throws IOException, ClassNotFoundException;
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://cwe.mitre.org/data/definitions/594.html">MITRE, CWE-594</a> - Saving Unserializable Objects to Disk </li>
  <li> <a href="https://docs.oracle.com/javase/6/docs/api/java/io/Serializable.html">Oracle Java 6, Serializable</a> </li>
  <li> <a href="https://docs.oracle.com/javase/7/docs/api/java/io/Serializable.html">Oracle Java 7, Serializable</a> </li>
</ul>

